b82426cda9ed45d3321498c4773c2b1472de2baa01756812b1f87d73ac54c949

Analysis

max time kernel
150s
max time network
122s
platform
windows7_x64
resource
win7-20230712-en
resource tags

arch:x64arch:x86image:win7-20230712-enlocale:en-usos:windows7-x64system
submitted
29-08-2023 19:39

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b82426cda9ed45d3321498c4773c2b1472de2baa01756812b1f87d73ac54c949.exe
Size

118KB
MD5

f99ef8eb09b24dd7026e9680f666a54e
SHA1

f8ee5da2e1ce2f12481b67494b583f1781a95de4
SHA256

b82426cda9ed45d3321498c4773c2b1472de2baa01756812b1f87d73ac54c949
SHA512

93f3590216028c22b5c26aca08534f677b1b9e82f57f454e4ca5601110cd41de42317a2041d97eb2d3230509a8bef1807570731c7d0c7f18e81e2487086dc8a6
SSDEEP

1536:OmfgLdQAQfcfymNG+Kxwmn4Y4Ykv8JEn6M04HiKq7UkPlHae5:7ftffjmNoxwmn4YtkcQ6M04HalEy

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2960	cmd.exe

Executes dropped EXE 1 IoCs

pid	Process
2964	Logo1_.exe

Enumerates connected drives 3 TTPs 21 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\Y:	Logo1_.exe
File opened (read-only)	\??\X:	Logo1_.exe
File opened (read-only)	\??\Q:	Logo1_.exe
File opened (read-only)	\??\O:	Logo1_.exe
File opened (read-only)	\??\L:	Logo1_.exe
File opened (read-only)	\??\G:	Logo1_.exe
File opened (read-only)	\??\P:	Logo1_.exe
File opened (read-only)	\??\M:	Logo1_.exe
File opened (read-only)	\??\I:	Logo1_.exe
File opened (read-only)	\??\H:	Logo1_.exe
File opened (read-only)	\??\Z:	Logo1_.exe
File opened (read-only)	\??\V:	Logo1_.exe
File opened (read-only)	\??\R:	Logo1_.exe
File opened (read-only)	\??\N:	Logo1_.exe
File opened (read-only)	\??\J:	Logo1_.exe
File opened (read-only)	\??\W:	Logo1_.exe
File opened (read-only)	\??\U:	Logo1_.exe
File opened (read-only)	\??\T:	Logo1_.exe
File opened (read-only)	\??\S:	Logo1_.exe
File opened (read-only)	\??\K:	Logo1_.exe
File opened (read-only)	\??\E:	Logo1_.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\Microsoft Games\Mahjong\es-ES\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\en_GB\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\ja-JP\css\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\MediaCenter.Gadget\ja-JP\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\SPPlugins\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\COMPASS\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Microsoft SQL Server Compact Edition\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\fa\LC_MESSAGES\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\zh_TW\LC_MESSAGES\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Logo1_.exe
File created	C:\Program Files\Java\jre7\bin\dtplugin\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Calendar.Gadget\es-ES\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\BOLDSTRI\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\TRANSLAT\ENES\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Microsoft Games\More Games\ja-JP\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\ff\LC_MESSAGES\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Windows Photo Viewer\de-DE\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\th\LC_MESSAGES\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Calendar.Gadget\images\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\ja-JP\js\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Multimedia\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\TRANSLAT\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\1033\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Stationery\_desktop.ini	Logo1_.exe
File created	C:\Program Files\DVD Maker\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\tl\LC_MESSAGES\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\access\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\de-DE\js\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\lib\deployed\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\ro\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\Portal\1033\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Internet Explorer\SIGNUP\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\Certificates\Verisign\Components\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\Currency.Gadget\it-IT\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\update_tracking\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Microsoft Games\Minesweeper\MineSweeper.exe	Logo1_.exe
File created	C:\Program Files\Windows Mail\fr-FR\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\en-US\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\{AC76BA86-7AD7-1033-7B44-A90000000001}\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\STS2\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Atlantic\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\fr-FR\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\it-IT\js\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\p2\org.eclipse.equinox.p2.engine\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\lib\nbexec.exe	Logo1_.exe
File opened for modification	C:\Program Files\Microsoft Games\FreeCell\fr-FR\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Microsoft Games\SpiderSolitaire\ja-JP\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\fr-FR\js\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\MSInfo\de-DE\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Access.en-us\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jre7\lib\security\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\da\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\lua\http\css\ui-lightness\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Windows Journal\it-IT\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Windows Journal\ja-JP\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Calendar.Gadget\es-ES\css\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\SlideShow.Gadget\it-IT\css\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Reference Assemblies\_desktop.ini	Logo1_.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\HueCycle\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.help_2.0.102.v20141007-2301\META-INF\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Windows Mail\ja-JP\_desktop.ini	Logo1_.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File created	C:\Windows\Logo1_.exe	b82426cda9ed45d3321498c4773c2b1472de2baa01756812b1f87d73ac54c949.exe
File opened for modification	C:\Windows\rundl132.exe	Logo1_.exe
File created	C:\Windows\vDll.dll	Logo1_.exe
File created	C:\Windows\rundl132.exe	b82426cda9ed45d3321498c4773c2b1472de2baa01756812b1f87d73ac54c949.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Runs net.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
2964	Logo1_.exe
2964	Logo1_.exe
2964	Logo1_.exe
2964	Logo1_.exe
2964	Logo1_.exe
2964	Logo1_.exe
2964	Logo1_.exe
2964	Logo1_.exe
2964	Logo1_.exe
2964	Logo1_.exe

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 2076 wrote to memory of 2960	2076	b82426cda9ed45d3321498c4773c2b1472de2baa01756812b1f87d73ac54c949.exe	28
PID 2076 wrote to memory of 2960	2076	b82426cda9ed45d3321498c4773c2b1472de2baa01756812b1f87d73ac54c949.exe	28
PID 2076 wrote to memory of 2960	2076	b82426cda9ed45d3321498c4773c2b1472de2baa01756812b1f87d73ac54c949.exe	28
PID 2076 wrote to memory of 2960	2076	b82426cda9ed45d3321498c4773c2b1472de2baa01756812b1f87d73ac54c949.exe	28
PID 2076 wrote to memory of 2964	2076	b82426cda9ed45d3321498c4773c2b1472de2baa01756812b1f87d73ac54c949.exe	29
PID 2076 wrote to memory of 2964	2076	b82426cda9ed45d3321498c4773c2b1472de2baa01756812b1f87d73ac54c949.exe	29
PID 2076 wrote to memory of 2964	2076	b82426cda9ed45d3321498c4773c2b1472de2baa01756812b1f87d73ac54c949.exe	29
PID 2076 wrote to memory of 2964	2076	b82426cda9ed45d3321498c4773c2b1472de2baa01756812b1f87d73ac54c949.exe	29
PID 2964 wrote to memory of 2968	2964	Logo1_.exe	30
PID 2964 wrote to memory of 2968	2964	Logo1_.exe	30
PID 2964 wrote to memory of 2968	2964	Logo1_.exe	30
PID 2964 wrote to memory of 2968	2964	Logo1_.exe	30
PID 2968 wrote to memory of 2952	2968	net.exe	33
PID 2968 wrote to memory of 2952	2968	net.exe	33
PID 2968 wrote to memory of 2952	2968	net.exe	33
PID 2968 wrote to memory of 2952	2968	net.exe	33
PID 2964 wrote to memory of 1224	2964	Logo1_.exe	20
PID 2964 wrote to memory of 1224	2964	Logo1_.exe	20

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1224
- C:\Users\Admin\AppData\Local\Temp\b82426cda9ed45d3321498c4773c2b1472de2baa01756812b1f87d73ac54c949.exe
  "C:\Users\Admin\AppData\Local\Temp\b82426cda9ed45d3321498c4773c2b1472de2baa01756812b1f87d73ac54c949.exe"
  2⤵
  - Drops file in Windows directory
  - Suspicious use of WriteProcessMemory
  PID:2076
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c C:\Users\Admin\AppData\Local\Temp\$$a7AFA.bat
    3⤵
    - Deletes itself
    PID:2960
- - C:\Windows\Logo1_.exe
    C:\Windows\Logo1_.exe
    3⤵
    - Executes dropped EXE
    - Enumerates connected drives
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:2964
  - - C:\Windows\SysWOW64\net.exe
      net stop "Kingsoft AntiVirus Service"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2968
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
        5⤵
        
        PID:2952

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe

Filesize
251KB

MD5
edf07d233b5fa4fbd83febae9adf82d9

SHA1
59dc0562df337c65f823037d474db6fe30c18e57

SHA256
3cfee539be1a2652082a554d73be98d00611a00e9a65c61877c843dea89d3a0d

SHA512
d17ee9f317bcf4f1fbdae2adc71b30427d0f9e398295c40333c871d6ee58a487682fb238f3e3e78f5cca28e6af86497eb29aea2dbc10ecdf9b7fde7a7194f30b

Download Submit
C:\ProgramData\Package Cache\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\vcredist_x64.exe

Filesize
471KB

MD5
c6c8fde27f649c91ddaab8cb9ca344a6

SHA1
5e4865aec432a18107182f47edda176e8c566152

SHA256
32c3fed53bfc1d890e9bd1d771fdc7e2c81480e03f1425bce07b4045a192d100

SHA512
a8df7d1e852d871d7f16bae10c4ff049359583da88cc85a039f0298525839040d5363ce5ef4cbdb92a12a25785f73df83cf0df07752b78e6e6444f32160a2155

Download Submit
C:\Users\Admin\AppData\Local\Temp\$$a7AFA.bat

Filesize
722B

MD5
ebd3889848b7def0c68e13ccd3a0dccf

SHA1
1d25b92939923cef734c39000ea950669c0271e9

SHA256
67cf68637bd0fbc0b6b91d111383ea6af9cf84e976a9b9e6e23aef64c9ebd228

SHA512
c4bd18879def94b7964f46b219ad49c143230139762634ec16ad06edec95cd07de830440e6649bf4a981108c0b1a856ed5bd0439eb302b9fd5ae3626e936667f

Download Submit
C:\Users\Admin\AppData\Local\Temp\$$a7AFA.bat

Filesize
722B

MD5
ebd3889848b7def0c68e13ccd3a0dccf

SHA1
1d25b92939923cef734c39000ea950669c0271e9

SHA256
67cf68637bd0fbc0b6b91d111383ea6af9cf84e976a9b9e6e23aef64c9ebd228

SHA512
c4bd18879def94b7964f46b219ad49c143230139762634ec16ad06edec95cd07de830440e6649bf4a981108c0b1a856ed5bd0439eb302b9fd5ae3626e936667f

Download Submit
C:\Users\Admin\AppData\Local\Temp\b82426cda9ed45d3321498c4773c2b1472de2baa01756812b1f87d73ac54c949.exe.exe

Filesize
91KB

MD5
13bd3153788cd2b2507707cf4cfffad3

SHA1
37222b1be626903e89a840760394561bf0f46264

SHA256
33870552c399350caa27ef708d0a883a366da5e08b7231301103427da5092b3a

SHA512
f0f1fd5ed49214c68c22832c9f33acc826a4e4284fafa51b14241ffb04b2c0f30fe356c4110270768981aa1fe8bdc8beb9a19b01ffe872dbb925fd5280ad0f6d

Download Submit
C:\Windows\Logo1_.exe

Filesize
26KB

MD5
76d139dc82d0b5e4f8f9231f1a8ec2b4

SHA1
d3af685526a7e0dddef11d6a5ce4a28334c4bf8a

SHA256
9510462fe48643e4b616c731af8388e5fb614b36da73122d21f85a96aec71d66

SHA512
967ef8402d092b89f11190cb8dfa37068f6e70f6b049139ddd38ca2e12e180616cc9e6b8268c60844e8a0c4bd44f98a81723f98ec0ab2aa76c6aa5507c4744db

Download Submit
C:\Windows\Logo1_.exe

Filesize
26KB

MD5
76d139dc82d0b5e4f8f9231f1a8ec2b4

SHA1
d3af685526a7e0dddef11d6a5ce4a28334c4bf8a

SHA256
9510462fe48643e4b616c731af8388e5fb614b36da73122d21f85a96aec71d66

SHA512
967ef8402d092b89f11190cb8dfa37068f6e70f6b049139ddd38ca2e12e180616cc9e6b8268c60844e8a0c4bd44f98a81723f98ec0ab2aa76c6aa5507c4744db

Download Submit
C:\Windows\Logo1_.exe

Filesize
26KB

MD5
76d139dc82d0b5e4f8f9231f1a8ec2b4

SHA1
d3af685526a7e0dddef11d6a5ce4a28334c4bf8a

SHA256
9510462fe48643e4b616c731af8388e5fb614b36da73122d21f85a96aec71d66

SHA512
967ef8402d092b89f11190cb8dfa37068f6e70f6b049139ddd38ca2e12e180616cc9e6b8268c60844e8a0c4bd44f98a81723f98ec0ab2aa76c6aa5507c4744db

Download Submit
C:\Windows\rundl132.exe

Filesize
26KB

MD5
76d139dc82d0b5e4f8f9231f1a8ec2b4

SHA1
d3af685526a7e0dddef11d6a5ce4a28334c4bf8a

SHA256
9510462fe48643e4b616c731af8388e5fb614b36da73122d21f85a96aec71d66

SHA512
967ef8402d092b89f11190cb8dfa37068f6e70f6b049139ddd38ca2e12e180616cc9e6b8268c60844e8a0c4bd44f98a81723f98ec0ab2aa76c6aa5507c4744db

Download Submit
F:\$RECYCLE.BIN\S-1-5-21-377084978-2088738870-2818360375-1000\_desktop.ini

Filesize
9B

MD5
2326d479b287193a70f520700dc8d23e

SHA1
afea66d3788a50debd6f5d4c9dd51f68a4477e64

SHA256
95d41561a1467d20977f59108e85da181e0b4dfd3db9e40182ae7378c4a927f8

SHA512
cb971c406ddf7147536a6a1569d4ff49d7219aa52cde5d110be1109874d66daace832d423d7969af9e6bbc9738a65734c7e68e994591b7677aad51fa0f52cf37

Download Submit
memory/1224-64-0x0000000002C10000-0x0000000002C11000-memory.dmp

Filesize
4KB

Download
memory/2076-22-0x00000000002E0000-0x0000000000314000-memory.dmp

Filesize
208KB

Download
memory/2076-16-0x00000000002E0000-0x0000000000314000-memory.dmp

Filesize
208KB

Download
memory/2076-0-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2076-15-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2076-73-0x00000000002E0000-0x0000000000314000-memory.dmp

Filesize
208KB

Download
memory/2960-58-0x00000000021C0000-0x00000000021C1000-memory.dmp

Filesize
4KB

Download
memory/2964-81-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2964-86-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2964-132-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2964-139-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2964-1891-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2964-71-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2964-3351-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2964-21-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download